FutureVuls > English > Manual > Choices and features of scan methods > Linux OS Package Scan

Linux OS Package Scan

As of October 2021, vulnerabilities in software under the Linux package manager’s management can be identified by the following methods:

Vuls scan
Trivy scan (Docker image)
Paste scan

Let’s explain the features of each of them.

Vuls scan

This is a method of scanning via Vuls scanner and uploading configuration information to cloud services. Refer to supported environments for the scan targets.

Container scan

It is recommended to detect images in the container registry using trivy and upload to FutureVuls. It can also be integrated into a CI/CD pipeline. Refer to supported environments for the scan targets.

A method of integrating with cloud service container registries is also available. This is compatible with AWS and GCP DockerRegistries. Refer to supported environments for the scan targets.

Paste scan

Paste scan allows for vulnerability management in environments where it is difficult to introduce scanners.

Closed area environment isolated from the Internet
Environment where uploading to external SaaS is prohibited
Environment where the scanner program cannot be installed on the server

Execute several commands to obtain configuration information on the server, and just copy and paste the execution result of the command onto the FutureVuls screen to complete registration.

With the developer REST API you can create and update paste servers with REST APIs.

How to register a Paste scan

Let’s explain the steps from registering configuration information to performing vulnerability scans.

Server > Add server > Add PASTE server
Enter server name
Select the type of OS
Paste OS version information
Paste information on the currently running kernel release
Paste the list of installed packages
Click “Manual scan” on the server detail screen

Refer to supported environments for the scan targets.

Add PASTE server Add PASTE server button

Enter server name, OS type, etc.

Paste the list of installed packages

Once registered, you can detect vulnerabilities by clicking on Manual Scan.

Updating paste server by package update

If you update the package of the relevant server and change the configuration information, update it from the Edit button in the Server Information section on the server details screen. In the next scan, detection processing will be performed based on the updated configuration information. Tasks resolved by package updates are automatically changed to the “Patch_Applied” status.

Required information and acquisition method for paste server registration

OS	Version	Kernel Release	Kernel Version	Packages
CentOS	cat /etc/redhat-release	uname -r	-	rpm -qa –queryformat “%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH}\n”
RHEL	cat /etc/redhat-release	uname -r	-	rpm -qa –queryformat “%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH}\n”
Amazon Linux	awk ‘{if ($0 ~ /Amazon Linux release (2022	2023)/) print $4; else if ($0 ~ /Amazon Linux release 2/) printf("%s %s “,$4, $5); else if ($0 ~ /Amazon Linux 2/) for (i=3; i<=NF; i++) printf("%s “, $i); else if (NF==5) print $5}’ /etc/system-release	uname -r	-
Debian	cat /etc/debian_version	uname -r	uname -a \| awk ‘{print $7}’	dpkg-query -W -f=”${binary:Package},${db:Status-Abbrev},${Version},${Source},${source:Version}\n”
Ubuntu	lsb_release -sr \| awk ‘{print $1}’	uname -r	-	dpkg-query -W -f="${binary:Package},${db:Status-Abbrev},${Version},${Source},${source:Version}\n"
Windows	-	-	-	(Get-Hotfix \| Select-Object -Property HotFixID \| % { If ($_ -match ‘(KB\d{6,7})’) { $Matches[0] }}) -Join ‘,’

If you want to register an OS other than the above, display the dialog box for creating a paste server on the FutureVuls screen and confirm it.

Mechanism of OS package scan

Linux packages are updated using the backport mechanism. In FutureVuls, detection processing is performed using Security Tracker or OVAL provided by Linux distributors. These vulnerability databases contain “actually backported version numbers” corresponding to each OS, allowing for accurate detection.

Please refer to the source code of OSS for detailed detection logic of each scan method.

We are often asked if we can accurately detect vulnerabilities by registering OS or package CPEs. Due to frequent false positives, CPE scans for OS packages are not recommended. For more information, please refer to the FAQ>CPE Scan section.